Warning to all Gmail users over new type of attack

Source: Daily Mail Online

A new type of email attack is quietly targeting 1.8 billion Gmail users without them ever noticing. Hackers are using Google Gemini, the built-in AI tool in Gmail and Workspace, to trick users into handing over their credentials. Cybersecurity experts found that bad actors are sending emails with hidden instructions that prompt Gemini to generate fake phishing warnings, tricking users into sharing their account password or visiting malicious sites.

These emails are crafted to appear urgent and sometimes to come from a business. By setting the font size to zero and the text color to white, attackers can insert prompts that are invisible to users but actionable by Gemini. Marco Figueroa, GenAI bounty manager, demonstrated how such a malicious prompt could falsely alert users that their email account has been compromised, urging them to call a fake 'Google support' phone number to resolve the issue.

To counter these prompt injection attacks, experts recommend that companies configure email clients to detect and neutralize hidden content in message bodies. Additionally, implementing post-processing filters to scan inboxes for suspicious elements like 'urgent messages,' URLs, or phone numbers could bolster defenses against such threats. The trick was uncovered after research, led by Mozilla's 0Din security team, showed proof of one of the attacks last week.

The report demonstrated how Gemini could be fooled into displaying a fake security alert, one that claimed the user's password had been compromised. It looked real but was entirely built by hackers to steal information. The trick works by embedding the prompt in white text that blends into the email background.

So when someone clicks 'summarize this email,' Gemini processes the hidden message, not just the visible text. This type of manipulation, called 'indirect prompt injection,' takes advantage of AI's inability to tell the difference between a user's question and a hacker's hidden message. According to IBM, AI cannot tell the difference, as they both look like text, so AI follows whichever comes first, even if it is malicious.

Security firms like Hidden Layer have shown how an attacker could craft a completely normal-looking message but fill it with hidden codes and URLs, tools designed to fool AI. In one of the cases, hackers sent an email that looked like a calendar invite. But inside the email, hidden commands told Gemini to warn the user about a fake password breach, tricking them into clicking a malicious link.

Google admitted this kind of attack has been a problem since 2024 and said it added new safety tools to stop it, but the trick appears to still be working. In one case, a major security flaw reported to Google showed how attackers could hide fake instructions inside emails that trick Gemini into doing things users never asked for. Instead of fixing the issue, Google marked the report as 'won't fix,' meaning they believe Gemini is working the way it is supposed to.

That decision shocked some security experts because it basically means Google sees this behavior, not recognizing hidden instructions, as expected, not broken. This means that the door is still open for hackers to sneak in commands that the AI might follow without question. Experts are concerned because if the AI cannot tell the difference between a real message and a hidden attack, and Google will not fix the behavior, then the risk remains active. AI is becoming more popular for quick decisions and email summaries.

It is not just Gmail: the risk spreads as AI is incorporated into Google Docs, Calendar, and outside apps. Cybersecurity experts say some of these attacks are even being created and carried out by other AI systems, not just human hackers. Google has reminded users that it does not issue security alerts through Gemini summaries. So if a summary tells you your password is at risk or gives you a link to click, treat it as suspicious and delete the email.

In a recent blog post, Google said that Gemini now asks for confirmation before doing anything risky, like sending an email or deleting something. That extra step gives users a chance to stop the action, even if the AI was tricked. Google also displays a yellow banner if it detects and blocks an attack. If the system finds a suspicious link in a summary, it removes it and replaces it with a safety alert. But some problems still have not been solved.